The growing demand for more secure, more reliable and more convenient user authentication solutions for mobile devices is accepted and publicized in the industry.
It is expected that biometrics will replace passwords, particularly on mobile platforms, as long passwords are difficult to remember and difficult to type on such devices. For example, in order to improve user experience, many manufacturers of mobile phones have embedded fingerprint sensors in their recent devices, and it is expected that users will increasingly adopt biometrics in order to access their device and/or specific functions thereon. Other types of biometric authentication include iris recognition and voice recognition. Multiple different types of authentication (e.g. passwords, fingerprint/iris/voice recognition, etc) may be combined in order to increase the security of a particular operation.
While the use of biometrics in general increases the security of a particular operation, by ensuring the person requesting that the operation be carried out is a registered user of that device, biometric solutions are not invulnerable to attacks from third parties. For example, a fingerprint of a particular user may be stolen (e.g. “lifted” from an object the user has touched) by a third party intent on using that fingerprint to access the user's device. The user's voice may be recorded by a third party and played back to the device in order to bypass voice biometric security. A picture of the user's iris may be acquired and used to bypass iris recognition software.
All of these techniques require significant effort on the part of the third party attempting to gain access to the user's device. Further, even if successful, the techniques allow that third party access to just a single device at a time. A more modern technique for bypassing biometric security systems, requiring fewer resources and scalable to multiple devices at a time, may involve the surreptitious installation of malware on the user's device. For example, such malware may be able to bypass or otherwise prevent security processes from functioning effectively, and thus allow the third-party attacker access to the devices on which it is installed.
A mechanism is therefore required to defend biometric authentication systems against such software-based attacks.